Threat Level: green Handler on Duty: Jan Kopriva

SANS ISC: InfoSec Handlers Diary Blog - SANS Internet Storm Center InfoSec Handlers Diary Blog

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
ISC Stormcast For Wednesday, March 18th 2020

Trickbot gtag red5 distributed as a DLL file

Published: 2020-03-18
Last Updated: 2020-03-18 01:22:44 UTC
by Brad Duncan (Version: 1)
0 comment(s)


Trickbot is an information stealer/banking malware that uses modules to perform different functions.  With Windows 10, these modules are loaded into memory, and we only see initial Trickbot binary and a text-based configuration file stored on the infected Windows 10 host.

Access to Trickbot-infected hosts is granted to other criminals groups to distribute other malware like Ryuk ransomware.  This sort of follow-up malware has previously been noted in conjunction with Powershell Empire traffic and/or Cobalt Strike activity on a Trickbot-infected host.

But today's diary focuses on one of the distribution methods for the initial Trickbot infection.

Last month on 2020-02-25, I ran across an example of Trickbot (gtag red4) distributed as a Windows DLL file.  Normally, I see Trickbot distributed as an Windows EXE.  2020-02-25 was the first time I personally saw Trickbot distributed and made persistent as a DLL.

On Tuesday 2020-03-17, I ran across another example of Trickbot as a DLL.  This time, it was gtag red5, and I've documented the occasion in today's ISC diary.

Of note, a Trickbot sample's "gtag" indicates its specific method of distribution.  The "red" series gtag has been noted with Trickbot as a DLL file distributed using a JSE downloader.  The image below shows a flow chart for my infection on Tuesday 2020-03-17.

Shown above:  Flow chart for this specific gtag red5 Trickbot infection chain.

Images from the infection

Shown above:  Screenshot of the Word document that kicked off this Trickbot infection.

Shown above:  Enabling macros caused the Word document to save a copy of itself.

Shown above: Meanwhile, I found a JSE file that acted as a malware loader in a newly-created directory named C:\netstats\.

Shown above:  The JSE-based loader PressTableList.jse appears to be highly-obfuscated.

Shown above:  HTTPS/SSL/TLS traffic generated by PressTableList.jse filtered in Wireshark.

Shown above:  Certificate issuer data from HTTPS/SSL/TLS traffic caused by PressTableList.jse.

Shown above:  About 1 hour after the initial infection, I saw signs of a Trickbot infection.

Shown above:  Shortly before the Trickbot traffic, I found evidence of a Trickbot binary saved to the infected Windows host.

Shown above:  The scheduled task to keep Trickbot persistent indicates this Trickbot binary is a DLL.

Shown above:  More Trickbot traffic, including HTTP requests over TCP port 8082 that reveal this Trickbot is gtag red5.

Shown above:  HTTP requests ending in .png that returned follow-up Trickbot binaries (these were EXE files, not DLL or PNG).

Indicators of Compromise (IoCs)

Traffic from an infected Windows host:

JSE loader traffic:

  • 185.216.35[.]10 port 443 - HTTPS/SSL/TLS traffic

Trickbot infection traffic:

  • port 80 - api.ipify[.]org - GET / [ip address check by the infected host, not inherently malicious]
  • 51.254.164[.]245 port 443 - HTTPS/SSL/TLS traffic
  • 146.185.253[.]176 port 447 - HTTPS/SSL/TLS traffic
  • 181.129.104[.]139 port 449 - HTTPS/SSL/TLS traffic
  • 46.4.167[.]250 port 447 - attempted TCP connections but no response from the server
  • 64.44.51[.]113 port 447 - attempted TCP connections but no response from the server
  • 203.176.135[.]102 port 8082 - 203.176.135[.]102:8082 - POST /red5/[host name]_[windows version].[32-digit hex string in ASCII]/90
  • 203.176.135[.]102 port 8082 - 203.176.135[.]102:8082 - POST /red5/[host name]_[windows version].[32-digit hex string in ASCII]/81/
  • 51.89.115[.]101 port 80 - 51.89.115[.]101 - GET /images/cursor.png
  • 51.89.115[.]101 port 80 - 51.89.115[.]101 - GET /images/imgpaper.png

Malware/artifacts from an infected Windows host

SHA256 hash: 08b885ccc3eda61a918bd1887b7669e54d03be79a3accae765c10cd0850ff10d

  • File size: 270,883 bytes
  • File name: Info_17033267714.doc
  • File description: Word doc with macro for JSE downloader

SHA256 hash: c0fe570561cc3546ed7e03523baf5e482ec9ee98e6a8de161fdc885f6721f0a0

  • File size: 49 bytes
  • File location: C:\netstats\PressTableList.cmd
  • File description: CMD script to run PressTableList.jse
  • File content: cscript //nologo c:\netstats\PressTableList.jse
  • Note: Not malicious by itself

SHA256 hash: 36ef77fe7b4a27813c8149674565f60aceb2fa9510e04732ef53367ce3dc567a

  • File size: 356,006 bytes
  • File location: C:\netstats\PressTableList.jse
  • File description: JSE-style malware downloader

SHA256 hash: 445716d2fdd0cc8927c02bda53f44cba82f3a934d1a6cb9163760544b3e515e9

  • File size: 636,416 bytes
  • File location: C:\Users\[username]\AppData\Local\Temp\d26db78fApo6057.pif
  • File location: C:\Users\[username]\AppData\Roaming\ElAts\rzd26db78fApo6057nn.vgy
  • File description: DLL file retrieved by JSE-style downloader, this is Trickbot gtag red5

SHA256 hash: 262cf3e4da865ff7b028d2f1be407d1d37008644ee89c3e16f4b873e6cde344c

  • File size: 20,541 bytes
  • File location: C:\Users\[username]\AppData\Roaming\ElAts\settings.ini
  • File description: Configuration/settings file used by Trickbot, different file hash and content for each infection. This is not inherently malicious on its own.

SHA256 hash: efb75ce7030fc32190909048fcb3fab024cb8779b9559a417b8d397352ae6ea2

  • File size: 696,371 bytes
  • File location: hxxp://51.89.115[.]101/images/cursor.png
  • File description: Follow-up Trickbot EXE (gtag: tot698) returned from URL ending in .png

SHA256 hash: 3850e5731f9f1430eafd477b5e0607aad48f80bb28e32d163b941414db7f1695

  • File size: 696,371 bytes
  • File location: hxxp://51.89.115[.]101/images/imgpaper.png
  • File description: Follow-up Trickbot EXE (gtag: lib698) returned from URL ending in .png

Final words

A pcap of the infection traffic along with the associated malware can be found here.


Brad Duncan
brad [at]

Keywords: Trickbot Word macro
0 comment(s)
Diary Archives